Configuring Forwarding Profiles for the Zscaler App
The forwarding profile tells the Zscaler App how to treat traffic from your users' systems in different network environments for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services. You can configure as many forwarding profiles as you need, then select the appropriate one when creating App Profiles. For example, if you have multiple locations with different network information, you can configure different forwarding profiles so that the Zscaler App can recognize the right network for different users and know how to respond upon detecting those networks.
When a user connects to a network, the Zscaler App checks to determine what type of network the user is connected to.
Network Types Recognized by Zscaler App
The Zscaler App recognizes the following three network environments:
On Trusted Network: When a user is connected to a private network that belongs to your organization. To allow the Zscaler App to detect this network, you must set the Trusted Network Criteria (more information below).
VPN Trusted Network: When a user is connected to the trusted network above via a VPN in full-tunnel mode. The VPN must be configured to capture all, and not just some, of the user's traffic to the trusted network by installing a default route in the routing table of the client device.
Note, the Zscaler App does not consider the network a VPN trusted network if:
- The VPN doesn't install a default route and uses some other mechanism to capture all of the user's traffic. In this scenario, the Zscaler App treats the user as Off Trusted Network.
- The default interface description does not contain any of the words Cisco, Juniper, Fortinet, PanGP, or VPN. If none of these words appears in the description, the Zscaler App treats the user as Off Trusted Network.
- The VPN runs in split-tunnel mode, so that it captures only some of the user's traffic. The VPN may do this by installing routes only for specific subnets (for example, 10/8 or 192.168/16) and/or by configuring a DNS server on the device that resolves only specific requests. In this scenario as well, the Zscaler App considers the user as Off Trusted Network.
Off Trusted Network: When a user is connected to an untrusted network, that is, any network that does not meet the Trusted Network Criteria.
NOTE: If your users are running the Zscaler App in conjunction with a VPN client, see Best Practices for Zscaler App and VPN Client Interoperability for important steps to ensure interoperability.
To add a forwarding profile, complete the steps below.
- From the Zscaler admin portal, go to Policy > Zscaler App Portal.
- In the Zscaler App portal, go to Administration from the top menu, then from the left menu, select Forwarding Profile.
- Click Add Forwarding Profile.
- Enter an alphanumeric Profile Name.
- With Trusted Network Criteria, define how the Zscaler App recognizes when a user is On Trusted Network. See the instructions for Trusted Network Criteria below.
- With Forwarding Profile Action, define how the Zscaler App treats traffic from your users' systems for the ZIA service in different network environments. For each of the network types below, select the forwarding profile action to apply:
- On Trusted Network
- VPN Trusted Network
- Off Trusted Network
There are four possible forwarding profile actions you can choose for each network type: Tunnel, Tunnel with Local Proxy, Enforce PAC, and None. Each is described below.
- With Forwarding Profile Action for ZPA, define how the Zscaler App treats traffic from your users' systems for the ZPA service in different network environments. For each network type below, select Tunnel if you want the Zscaler App to tunnel traffic for the ZPA service, that is, to provide the user with access to internal applications, or None if you don't.
On Trusted Network
- Tunnel: The Zscaler App uses the ZPA service to provide users with access to internal applications even when users are on trusted networks.
- None: ZPA is disabled, and the Zscaler App does not provide users with access to internal applications. Users access them directly.
VPN Trusted Network
- Tunnel: Do not select this option. For ZPA, the Zscaler App does not forward user traffic if a VPN is also running on the device.
- None: ZPA is disabled, and the Zscaler App does not provide users with access to internal applications.
Off Trusted Network
- Tunnel: The Zscaler App uses the ZPA service to provide users with access to internal applications when users are off trusted networks.
- None: ZPA is disabled, and the Zscaler App does not provide users with access to internal applications. Users can only access internal applications if they have some other mechanism for reaching internal networks.
After you choose the behavior for On Trusted Network, if you want the same behavior to apply to VPN Trusted Network or Off Trusted Network, you can simply check Same as "On Trusted Network."
- Click Save.
The Trusted Network Criteria define the conditions a network must meet for the Zscaler App to determine that it is one of your trusted networks. Provide the following information about your network, then specify whether the app must verify one or all of these settings to determine that a network is trusted.
- The DNS servers to which your corporate network sends DNS requests. You can enter up to five DNS servers, and the app verifies at least one DNS server.
- The search domains configured for the network. You can enter up to five search domains, and the app verifies at least one search domain.
- A host name and the IP addresses to which the host name resolves when users are on the corporate network. You can enter up to five IP addresses, and the app verifies at least one IP address.
Zscaler recommends using the first two conditions, DNS Servers and DNS Search Domains, as trusted network criteria because they are static properties of the network interface. Host name and IP resolution, in contrast, is a dynamic property: the Zscaler App must actually resolve the host name to see whether it resolves to the IP address specified in the Trusted Network Criteria, and that resolution can fail while the device is transitioning between networks. If the resolution fails, the Zscaler App can incorrectly determine that the network is untrusted, in which case it applies the wrong forwarding profile action.
To configure Trusted Network Criteria:
- Under Add Condition, select one of the following, then click Add Condition.
- DNS Servers
- DNS Search Domains
- Host Name and IP
The Condition Match field appears, along with the relevant condition field (DNS Servers, DNS Search Domains, or Host Name and Resolved IPs for Host Name).
- Under Condition Match, do one of the following:
- If you are specifying just this one condition, you can skip this step. For example, if you want the Zscaler App to check just for DNS servers to confirm a trusted network and not DNS Search Domains or Host Name and IP, you can skip this step.
- If you are specifying more than just this condition (for example, you want the Zscaler App to check for DNS servers and DNS search domains):
- Select Any if you want the Zscaler App to validate just one of the conditions to determine that the network is trusted.
- Select All if you want the Zscaler App to validate all of the conditions to determine that the network is trusted.
- In the condition field (DNS Server, DNS Search Domain, or Host Name / Resolved IPs for Host Name), do the following:
- Under DNS Servers, enter the IP addresses of the DNS servers to which DNS requests on this trusted network are sent.
- Under DNS Search Domain, enter the search domains that have been configured for this trusted network.
- In Host Name, enter a host name. In Resolved IPs for Host Name, enter the IP address(es) to which that host name resolves when a user is on this trusted network.
- Go back to step 1 to add another condition if necessary.
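The evaluation that the procedure above configures, as an added example written for this page (it is not Zscaler's code and does not claim to be how the App is implemented internally): a small JavaScript function applies a set of Trusted Network Criteria to a constructed snapshot of a client's network settings. Each condition passes when at least one of its (up to five) entries matches, and Condition Match (Any or All) combines the conditions. The DNS server addresses, search domain, probe host name and snapshots are all hypothetical. The third snapshot reproduces the failure mode discussed above: the device is on the corporate network, but the host-name lookup fails during a network transition, so All criteria that include a Host Name and IP condition report the network as untrusted while the static DNS-only criteria still pass.

```javascript
// Added example, not Zscaler App code: evaluate Trusted Network Criteria
// against a snapshot of the client's network state.
const MAX_ENTRIES = 5; // the portal accepts up to five entries per condition

function normalizeDomain(d) {
  return d.trim().toLowerCase().replace(/\.$/, "");
}

function checkEntries(name, entries) {
  if (!Array.isArray(entries) || entries.length < 1 || entries.length > MAX_ENTRIES) {
    throw new Error(`${name}: expected 1..${MAX_ENTRIES} entries`);
  }
}

// A condition passes when at least one of its entries matches the snapshot.
function matchDnsServers(entries, snap) {
  checkEntries("DNS Servers", entries);
  return entries.some((ip) => snap.dnsServers.includes(ip));
}

function matchSearchDomains(entries, snap) {
  checkEntries("DNS Search Domains", entries);
  const configured = snap.searchDomains.map(normalizeDomain);
  return entries.map(normalizeDomain).some((d) => configured.includes(d));
}

// snap.resolve(name) returns the addresses the name currently resolves to,
// or null when the lookup fails. A failed lookup is simply "no match", which
// is why this condition can produce a false negative mid-transition.
function matchHostName(cond, snap) {
  checkEntries("Resolved IPs for Host Name", cond.ips);
  const resolved = snap.resolve(cond.name);
  if (!resolved) return false;
  return cond.ips.some((ip) => resolved.includes(ip));
}

// criteria.match is "Any" or "All" (Condition Match). Returns true when the
// snapshot satisfies the criteria, i.e. the network counts as On Trusted Network.
function isTrustedNetwork(criteria, snap) {
  const results = [];
  if (criteria.dnsServers) results.push(matchDnsServers(criteria.dnsServers, snap));
  if (criteria.searchDomains) results.push(matchSearchDomains(criteria.searchDomains, snap));
  if (criteria.hostName) results.push(matchHostName(criteria.hostName, snap));
  if (results.length === 0) return false; // nothing configured: never trusted
  if (results.length === 1) return results[0]; // Condition Match is irrelevant
  return criteria.match === "All" ? results.every(Boolean) : results.some(Boolean);
}

// --- constructed sample data (hypothetical addresses and names) ---
const FULL_CRITERIA = {
  match: "All",
  dnsServers: ["10.10.0.53", "10.10.1.53"],
  searchDomains: ["corp.example.com"],
  hostName: { name: "trust-probe.corp.example.com", ips: ["10.10.5.20"] },
};
// The recommended static-only variant: DNS servers and search domains.
const STATIC_CRITERIA = {
  match: "All",
  dnsServers: FULL_CRITERIA.dnsServers,
  searchDomains: FULL_CRITERIA.searchDomains,
};

const corpLan = {
  dnsServers: ["10.10.0.53", "10.10.1.53"],
  searchDomains: ["corp.example.com."],
  resolve: (name) => (name === "trust-probe.corp.example.com" ? ["10.10.5.20"] : null),
};
const coffeeShop = {
  dnsServers: ["192.168.1.1"],
  searchDomains: ["lan"],
  resolve: () => null,
};
// Same corporate LAN, but DNS is momentarily unavailable (the interface has
// just come up), so the probe lookup fails.
const corpLanTransition = { ...corpLan, resolve: () => null };

console.log("corp LAN, full criteria:", isTrustedNetwork(FULL_CRITERIA, corpLan)); // true
console.log("coffee shop, full criteria:", isTrustedNetwork(FULL_CRITERIA, coffeeShop)); // false
console.log("corp LAN in transition, full/All:", isTrustedNetwork(FULL_CRITERIA, corpLanTransition)); // false
console.log("corp LAN in transition, static/All:", isTrustedNetwork(STATIC_CRITERIA, corpLanTransition)); // true
```

Switching FULL_CRITERIA to Any would make the transition case pass again, but at the cost of trusting any network that merely hands out the same search domain; the static DNS Servers plus DNS Search Domains pair with All is the combination the recommendation above points at.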
Tunnel
In Tunnel mode, the App tunnels traffic at the network (IP) layer. It captures user traffic by setting IP routes on user devices and forwards all port 80/443 traffic to the Zscaler service through a routing-mode tunnel (Z-Tunnel) using HTTP CONNECT.
If you choose this mode, the System Proxy option appears. Define the proxy settings your users’ systems follow by selecting one of the following:
- Enable: Select this option if you want to define specific system proxy settings for user devices. For example, you may want most user traffic to go to Zscaler with the App, but you may want some traffic to go directly to the web or to a third party proxy service. In the Custom PAC URL field that appears, enter your custom PAC URL. Zscaler fetches the PAC file at the specified URL and enforces your chosen proxy settings. The Zscaler App also ensures that users cannot tamper with their proxy settings.
- Not Enforced: Select this option to allow users to change proxy settings. If users don't change proxy settings, by default, all user traffic goes through the Zscaler App.
- Disable: Select this option if you want to forward all user traffic to Zscaler with the App and disable all other proxy settings on the user's device. For example, you can prevent inappropriate use of tools like anonymizer.com because the Zscaler App ensures that no other proxy settings are applied on user devices.
NOTES: If your users run a VPN client on their devices while running the Zscaler App:
- Zscaler recommends that you don't select Tunnel mode for any network type. Zscaler advises this because VPN clients work at the network (IP) layer, which is the same layer the Zscaler App works in if you select Tunnel mode. Both the VPN and the Zscaler App working at the same layer increases the likelihood of interoperability problems.
Instead, Zscaler recommends Tunnel with Local Proxy mode for all network types in this case. At a minimum, Zscaler strongly recommends that you don't select Tunnel for VPN Trusted Network if users are simultaneously running a VPN client. If your organization still decides to use the App in Tunnel mode alongside a VPN client, see Best Practices for Zscaler App and VPN Client Interoperability for steps that prevent connectivity issues.
- If your VPN runs in split-tunnel mode, ensure that you allow traffic destined for the VPN gateway to bypass the Zscaler App. See Step D in Best Practices for Zscaler App and VPN Client Interoperability.
Tunnel with Local Proxy
When configuring forwarding profiles, this is the default mode selected for all network types. In this mode, the Zscaler App sets proxy settings on user devices so that all user traffic is tunneled to Zscaler. The App does this by automatically installing a PAC file on the system to force all traffic to go to the local host. Zscaler recommends this forwarding profile for the following reasons:
- In Tunnel with Local Proxy mode, users don't encounter interoperability issues if they have VPN clients running alongside the Zscaler App. This is because in this mode, the Zscaler App works at the Application layer, instead of the IP layer, where VPN clients work. (In contrast, when the Zscaler App runs in Tunnel mode, interoperability issues arise because the App and the VPN client contend for user traffic at the same layer.) In Tunnel with Local Proxy mode, the App allows the VPN to take traffic as needed, but sets proxy settings to ensure all user traffic is still protected by Zscaler.
- In contrast to Enforce PAC mode, the App transparently handles authentication for users. This way, users don't have to reauthenticate for applications when they open new browsers, and they are less likely to run into issues accessing applications that aren't browser-based.
When you select this mode, the Custom PAC URL field appears. With Zscaler App version 1.1.1 or later, you are not required to add a custom PAC file when selecting Tunnel with Local Proxy. With an earlier version, you must supply a local proxy PAC file, as described below.
- If you have a VPN client running simultaneously with the Zscaler App, ensure VPN clients aren't configured to change proxy settings on user devices. If VPN clients tamper with proxy settings in any way, the Zscaler App does not forward traffic properly.
- In this mode, you can choose to Disable Loopback Restriction, Override WPAD, and Restart WinHTTP Service for Windows devices to ensure the Zscaler App can properly set proxy settings on those devices. See Configuring Zscaler App Profiles for details.
If your organization is using a Zscaler App version earlier than 1.1.1, you must create a local proxy PAC file that includes a proxy statement pointing to a loopback IP address and port (127.0.0.1:9000). The Zscaler App installs this PAC file on users' systems and is then able to capture all traffic from the system.
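A PAC file of the shape described above, as an added example written for this page rather than a file Zscaler supplies: it sends everything to the App's listener on 127.0.0.1:9000, and its carve-outs show the same technique a custom PAC under Tunnel mode's System Proxy > Enable option would use to send some traffic directly or to a third-party proxy, including the VPN-gateway bypass that a split-tunnel VPN needs. The host names, the partner proxy and the subnets are hypothetical. Real PAC engines provide isPlainHostName, dnsDomainIs and isInNet; the shims at the bottom are defined only when those are absent, so the same file also runs under Node for testing.

```javascript
// Added example, not a Zscaler-supplied file: a local proxy PAC for
// Tunnel with Local Proxy on Zscaler App versions earlier than 1.1.1.
var LOCAL_PROXY = "PROXY 127.0.0.1:9000";

// Only literal IPv4 addresses are tested against subnets: calling isInNet()
// with a host name makes the PAC engine resolve it on every request, which
// is slow and, on an untrusted network, leaks internal names to that
// network's resolver.
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Single-label names such as http://intranet/ never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";

  // Split-tunnel VPN: the VPN gateway (hypothetical name) must be reachable
  // without the App, per Step D of the VPN interoperability best practices.
  if (host === "vpn.example.com") return "DIRECT";

  // The "some traffic to a third-party proxy" case from System Proxy > Enable.
  // No "; DIRECT" fallback: if that proxy is down the request fails closed
  // instead of silently bypassing inspection.
  if (dnsDomainIs(host, ".partner.example.net")) {
    return "PROXY proxy.partner.example.net:8080";
  }

  // Loopback and RFC 1918 space stay local.
  if (IPV4_LITERAL.test(host)) {
    if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
    }
  }

  // Everything else goes to the Zscaler App's local proxy.
  return LOCAL_PROXY;
}

// ---- shims: PAC engines supply these; defined only when missing so the
// file can be exercised with `node pac.js`. ----
if (typeof isPlainHostName === "undefined") {
  var ip4ToInt = function (s) {
    var p = s.split(".");
    if (p.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      var o = Number(p[i]);
      if (!Number.isInteger(o) || o < 0 || o > 255) return null;
      n = n * 256 + o;
    }
    return n;
  };
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
  globalThis.isInNet = function (ip, pattern, mask) {
    var a = ip4ToInt(ip), p = ip4ToInt(pattern), m = ip4ToInt(mask);
    if (a === null || p === null || m === null) return false;
    return ((a & m) >>> 0) === ((p & m) >>> 0);
  };
}
```

Keep the bypass list as short as the environment allows: every DIRECT rule is traffic the App never sees, so each one should correspond to a documented need such as the VPN gateway, not to convenience.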
Enforce PAC
If you select this mode, choose one of the following:
- Enable: The Zscaler App does not tunnel any traffic. Instead, a Custom PAC URL field appears, where you enter the URL of your organization's PAC file. The Zscaler App enforces the proxy settings specified by that PAC file on your users' systems and prohibits users from changing them.
Keep in mind that if you enable this mode, the Zscaler App does not transparently handle authentication for users. Users have to reauthenticate for applications when they open new browsers and may run into issues accessing applications that aren't browser-based.
- Disable: The Zscaler App doesn't allow users to change proxy settings on the system, but it does not forward user traffic to Zscaler.
None
In None mode, the Zscaler App does not tunnel any traffic at all. It performs no actions on the user device.
About the Default Forwarding Profile
Zscaler provides a default forwarding profile that applies automatically if you don't configure additional forwarding profiles. It is the last forwarding profile in the table on the forwarding profile page.
Default Forwarding Profile Action for ZIA
- On Trusted Network: When the user is connected to a trusted network, the Zscaler App uses the Tunnel mode to forward user traffic to Zscaler. It also disables System Proxy settings so that users cannot change proxy settings to bypass the Zscaler App for web security.
- VPN Trusted Network: When a VPN client on the user's device is running in full-tunnel mode, the Zscaler App does not forward user traffic to Zscaler. All proxy settings are disabled to ensure users do not send their traffic to a different proxy.
- Off Trusted Network: When the user is off a trusted network, the Zscaler App uses the Tunnel mode to forward user traffic to Zscaler. It also disables System Proxy settings so that users cannot change proxy settings to bypass the Zscaler App for web security.
Default Forwarding Profile Action for ZPA
- On Trusted Network: The Zscaler App uses the ZPA service to provide users with access to internal applications even when users are on trusted networks.
- VPN Trusted Network: ZPA is disabled, and the Zscaler App does not provide users with access to internal applications.
- Off Trusted Network: The Zscaler App uses the ZPA service to provide users with access to internal applications when users are off trusted networks.